⚠️ Draft — pending legal review before publication
Version: 1.0
In force since: [to be defined]

Data Processing Agreement (DPA)

Between the Professional Customer (Controller) and iBetterCoach (Processor)

Version: 1.0 Date: [to be defined]

⚠️ Notice: Template prepared as a foundation. Requires review by a Portuguese lawyer specialised in GDPR before being used with real customers.


Recitals

This Data Processing Agreement ("DPA") governs the processing of personal data carried out by iBetterCoach ("Processor") on behalf of the Professional Customer ("Controller") in the context of the use of the iBetterCoach platform.

This DPA forms an integral part of the Terms of Use and applies whenever the Professional Customer, acting as a Personal Trainer, nutritionist, physical education teacher, physiotherapist or other health, sports or wellness professional, collects, stores or processes personal data of Athletes (data subjects) through the Platform.

In case of conflict between this DPA and the Terms of Use, the DPA prevails as regards the processing of personal data.


1. Definitions

The terms used in this DPA have the meaning given to them by Regulation (EU) 2016/679 (GDPR), namely:

  • Personal Data: any information relating to an identified or identifiable natural person.
  • Processing: any operation or set of operations performed on personal data.
  • Controller: the person who determines the purposes and means of processing. In this DPA, the Professional Customer.
  • Processor: the person who processes personal data on behalf of the Controller. In this DPA, iBetterCoach.
  • Sub-processor: a third party engaged by the Processor to assist in the processing (e.g., Clerk, Supabase, Vercel).
  • Data Subject: the Athlete whose personal data are processed.
  • Health Data: personal data concerning the physical or mental health of the data subject, including the provision of healthcare services, qualified as a special category under Article 9 GDPR.
  • Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

2. Subject matter and duration

2.1 Subject matter

iBetterCoach processes, on behalf of the Professional Customer, personal data necessary to:

  • Manage the professional relationship between the Customer and the Athletes
  • Collect health anamnesis and physical assessment
  • Generate training and nutrition prescriptions with the support of the algorithmic engine and the AI layer
  • Track progress, log sessions and enable Customer-Athlete communication
  • Integrate with wearables (when authorised by the Athlete)
  • Generate clinical projections (CurrentClinicalView, ClinicalDeltaView, TrainingImplicationsView, NutritionImplicationsView)

2.2 Duration

This DPA remains in force for as long as the Professional Customer uses the Platform and terminates automatically upon account closure, without prejudice to obligations that must survive termination (return or deletion of data, confidentiality, cooperation with data subject requests).


3. Types of data and data subjects

3.1 Categories of Personal Data processed

  • Identification data: name, date of birth, sex, photo, contact details
  • Anthropometric data: weight, height, perimeters, body fat percentage, bioimpedance data
  • Health data (special category, Art. 9 GDPR): clinical anamnesis, medical history, medication, allergies, injuries, medical restrictions, wearable data (heart rate, HRV, sleep, continuous glucose where applicable)
  • Sports data: goals, training history, 1RM, loads, volumes, progression
  • Nutritional data: preferences, restrictions, intolerances, food log
  • Usage data: access logs, Platform interactions, prescriptions generated

3.2 Categories of Data Subjects

  • Athletes registered by the Professional Customer on the Platform
  • Customer team members (interns, assistants, co-trainers) authorised by the Customer

4. Obligations of iBetterCoach (Processor)

iBetterCoach undertakes to:

  1. Process personal data only on documented instructions from the Professional Customer, except where required by law. The Terms of Use, this DPA and the Platform configurations constitute valid documented instructions.

  2. Ensure that persons authorised to process the data (employees and contractors) are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.

  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (without limitation):

    • Encryption in transit (TLS 1.2+) and at rest (AES-256)
    • Pseudonymisation where applicable
    • Strong authentication and granular permission management (Clerk + Supabase Row Level Security)
    • Regular backups with restore tests
    • Access log monitoring and anomaly detection
    • Business continuity and disaster recovery plan
    • GDPR and security training for the team
  4. Respect the conditions for engaging sub-processors as set out in Section 5.

  5. Assist the Professional Customer, insofar as possible and taking into account the nature of the processing, to:

    • Respond to data subject rights requests by Athletes
    • Comply with the security obligations of Articles 32 to 36 GDPR
    • Conduct Data Protection Impact Assessments (DPIA)
  6. Notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Customer's data.

  7. Upon termination of the services, and at the Customer's choice, return or delete all personal data, unless EU or Portuguese law requires its retention.

  8. Make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow audits, including inspections, conducted by the Customer or by another auditor mandated by the Customer, with reasonable prior notice and no more than once per year (except in case of incident).

  9. Maintain a Record of Processing Activities under Article 30(2) GDPR.
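Illustration of the measure in item 3 ("granular permission management (Clerk + Supabase Row Level Security)"). This is an added example for the reader and is not part of the DPA or of iBetterCoach's own code base; the table name, column names, the "org_id" JWT claim and the Supabase roles "authenticated" and "anon" are assumptions. It shows how tenant isolation between Professional Customers is enforced in the database itself, so that a query issued by one Controller's session can never return another Controller's Athlete rows, regardless of what the application layer asks for.

```sql
-- Added illustration, not the DPA's or iBetterCoach's own schema.
-- Assumed table holding Athlete records; each row belongs to one
-- Controller (the Clerk organisation of the Professional Customer).
create table if not exists athletes (
  id         uuid primary key default gen_random_uuid(),
  org_id     text not null,   -- assumed: Clerk organisation id of the Controller
  trainer_id text not null,   -- assumed: Clerk user id of the professional
  full_name  text not null,
  anamnesis  jsonb            -- health data (special category, Art. 9 GDPR)
);

-- Turn RLS on, and force it so even the table owner is subject to the policies.
alter table athletes enable row level security;
alter table athletes force row level security;

-- Read the organisation claim from the verified JWT that Supabase exposes
-- in request.jwt.claims. Assumption: the Clerk JWT template used for
-- Supabase carries an "org_id" claim. Missing claim => '' => matches nothing.
create or replace function current_org_id() returns text
language sql stable as $$
  select coalesce(
    current_setting('request.jwt.claims', true)::jsonb ->> 'org_id',
    ''
  )
$$;

-- One policy for select/insert/update/delete: a session may only see and
-- write rows whose org_id equals the organisation in its own token.
-- "with check" stops a Controller from inserting or moving rows into
-- another organisation.
create policy athletes_org_isolation on athletes
  for all
  to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Unauthenticated sessions get no policy at all: with RLS enabled and no
-- matching policy, the default is deny.
revoke all on athletes from anon;
```

Two caveats a reviewer of the security measures would check: the Supabase service-role key bypasses RLS entirely, so it must exist only server-side and never reach the browser or an edge function exposed to users; and the policy is only as strong as the JWT claim it reads, so the "org_id" claim must be set by Clerk from the organisation membership, never from a value the client can choose. A quick check is to run `set local role authenticated; select set_config('request.jwt.claims', '{"org_id":"org_a"}', true);` in a transaction and confirm that `select * from athletes` returns only org_a rows.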


5. Sub-processors

5.1 General authorisation

The Professional Customer expressly authorises iBetterCoach to engage sub-processors for the provision of the service, namely:

Sub-processor | Service | Location | Safeguard
Supabase Inc. | PostgreSQL database, alternative authentication, storage | EU (Frankfurt) | DPA + SCC
Clerk Inc. | Authentication, user management and organization management | USA | DPA + SCC + DPF
Vercel Inc. | Hosting, edge functions, CDN | EU (Frankfurt) preferred | DPA + SCC + DPF
Anthropic, PBC (AI filler layer) | Auxiliary text generation from pseudonymised prompts — no access to identifiable health data | USA | DPA + SCC + opt-out from training enabled
Transactional email provider (TBD, e.g., Resend, Postmark, SendGrid) | Service email delivery | EU preferred | DPA + SCC

Note on the payment chain. iBetterCoach uses Clerk as a sub-processor for authentication and organization management, and uses Stripe, Inc. directly as payment processor. The Customer's card data (PAN, CVV) is tokenised directly in the browser by Stripe, so neither iBetterCoach nor Clerk receive or store it.

The up-to-date list of iBetterCoach's sub-processors is available at [URL to be defined]/legal/sub-processors.

5.2 Notification of changes

iBetterCoach will notify the Customer at least 30 days in advance of any change to the list of sub-processors (addition, replacement, removal). The Customer may object on reasonable grounds within 14 days. If the objection is reasonable, iBetterCoach will seek an alternative; if none is feasible, the Customer may terminate the contract without penalty.

5.3 Liability

iBetterCoach remains fully liable to the Customer for compliance with GDPR obligations by sub-processors.


6. Data subject rights

iBetterCoach provides the Professional Customer with technical tools to respond to Athlete requests regarding their rights, namely:

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure / right to be forgotten (Art. 17)
  • Restriction of processing (Art. 18)
  • Portability (Art. 20) — export in structured format (JSON, CSV)
  • Objection (Art. 21)
  • Not subject to automated decision-making (Art. 22) — the Platform ensures that no prescription takes effect without human validation by the professional

If an Athlete contacts iBetterCoach directly, iBetterCoach will forward the request to the Professional Customer without delay.


7. International transfers

Whenever personal data are transferred outside the EEA, iBetterCoach ensures the application of Standard Contractual Clauses (SCC) approved by Commission Implementing Decision (EU) 2021/914, supplemented where necessary by additional measures (enhanced encryption, pseudonymisation, contractual restrictions on access by public authorities), in compliance with the Schrems II ruling (C-311/18), and relies on the EU-US Data Privacy Framework for sub-processors in the USA that hold a current DPF certification.


8. Security and data breaches

8.1 Security measures

iBetterCoach maintains a set of technical and organisational measures detailed in the security-guidelines.md governance document, continuously updated.

8.2 Breach notification

In the event of a personal data breach, iBetterCoach:

  1. Notifies the Customer within 48 hours of becoming aware, with:
    • Nature of the breach and categories of data involved
    • Approximate number of Data Subjects and records affected
    • Likely consequences
    • Measures taken or proposed to mitigate
  2. Cooperates fully with the Customer for the notification to the CNPD (which the Customer, as Controller, must make within 72 hours of becoming aware, under Article 33 GDPR) and, where applicable, to the Data Subjects.

9. Audits

The Customer has the right to audit iBetterCoach's compliance with this DPA, subject to:

  • Written request 30 days in advance
  • Maximum frequency of one audit per year (except in case of incident)
  • Independent auditor bound by confidentiality
  • Costs borne by the Customer, unless the audit reveals material non-compliance

iBetterCoach may alternatively provide third-party audit reports (e.g., SOC 2, ISO 27001, GDPR audit by an independent body) that satisfy the request.


10. Return and deletion of data

Upon termination of the contract, and at the Customer's option exercised within 30 days, iBetterCoach will:

  • Return the personal data in structured format (JSON or CSV) via a secure mechanism, or
  • Delete all personal data

After 30 days without instructions from the Customer, iBetterCoach automatically deletes the data, unless legal retention obligations apply.


11. Liability

Each Party is liable for damages caused by breach of its obligations under Article 82 GDPR. iBetterCoach's liability towards the Customer is subject to the limitation of liability set out in the Terms of Use, except in cases of wilful misconduct or gross negligence.


12. Governing law and jurisdiction

This DPA is governed by Portuguese law. Any dispute shall be submitted to the courts of [to be defined], with express waiver of any other jurisdiction.


13. Acceptance

This DPA is deemed accepted by the Professional Customer upon account creation on the Platform and/or upon the first upload of Athlete personal data, without the need for a physical signature, in line with Article 28(9) GDPR which permits electronic form.

The Customer may request a bilaterally signed version at dpo@ibettercoach.com.


Document prepared for iBetterCoach. Requires formal legal review before publication.

This document may be updated. The version in force is always the one available on this page.
